A system and method for guaranteeing the integrity of a gambling system

This invention relates to secure systems, such as gambling apparatus, and more particularly to a system for
guaranteeing the integrity of information content in the secure system, such as the control program of
gambling apparatus.

It is often the case in electronic gambling systems that a microprocessor electronics based gambling
system can be customized for different types of play by changing a memory device (such as an EPROM) or
by changing the memory device contents (such as by remotely downloading data into a read-write memory,
RAM or EPROM). However, it is currently the practice of some state gambling commissions, such as New
Jersey, U.S.A., to require a seal be applied to all circuitry on each circuit board (including the EPROM or RAM)
as part of the certification process. Thus, inventories must be maintained of the sealed boards for each of a
plurality of machines, [illegible] repair stock pile. This approach is
both costly and inefficient, inasmuch as many machines have a common nucleus and utilize the same circuit
board with a different control memory program for each of a plurality of games being selected by
interchanging a memory device or its contents.

Although this approach is costly and cumbersome, there has heretofore been no alternative technique
provided to perform the important function of guaranteeing the integrity of the gambling machines.

In accordance with one aspect of the present invention, a system is provided wherein data and associated
validation information stored in a nonsecure location are verified as to integrity by cryptographic techniques.
Good integrity verification activates the system to operate in a first mode, and bad integrity verification
activates the system to operate in a second mode. In a preferred embodiment, the system is a gambling
system, with a first mode corresponding to user responsive operation and the second mode corresponding
to an alarm mode. Other systems where the present invention would be useful include postal metering,
electronic mail, electronic funds transfer and other secure data processing systems.

In accordance with another aspect of the present invention, the system has an interface port for
communicating with an external device, such as a central control computer. Data and associated validation
information are loaded into memory in the nonsecure location, and the system verifies the integrity of the
data and associated validation information as stored in the memory by cryptographic techniques operatively
relating the data to the associated validation word. The system is activated to either a first or second
operative mode responsive to a verification result of good or bad integrity, respectively.

For example, a central computer could download information to one or a plurality of remotely located
systems which would each verify the integrity of the information received and stored in its respective
memory. Where the remotely located systems are gambling systems, the downloaded information can be
odds, control programs, random number seeds, etc.

In accordance with one of the illustrated embodiments of the present invention, a gambling apparatus is
disclosed having a secure portion which is certified and sealed by the Gaming Commission, and having a
nonsecure portion, not sealed by the Gaming Commission, the integrity of which is verified by the secure
portion. The secure portion of the gambling apparatus comprises a circuit board having a central processor
and a first memory. The nonsecure portion of the gambling apparatus is comprised of a second portion of
the circuit board, or an independent circuit board, having a second memory such as a nonsecure ROM,
EPROM, or read-write memory (RAM). Utilizing cryptographic techniques, the integrity of the nonsecure
portion of the system is verified by the secure portion of the system.

The gambling system is operable in three modes, and powers up in a test mode for verifying the integrity
of the gambling system. Where a positive verification is made that the nonsecure memory (e.g. ROM) has
satisfactory integrity, the system is activated to an operable mode responsive to player user control inputs.
Alternatively, where the result of the test mode is a negative verification showing the nonsecure memory
does not have good integrity, the gambling system is forced to an inoperable mode nonresponsive to player
user control inputs, and an alarm is activated.

The nonsecure portion of the circuit board, the integrity of which is cryptographically detectable, has a first
nonvolatile memory (such as a ROM, PROM, EPROM or EEPROM nonvolatile memory or a read-write (RAM)
volatile memory) having a validation word stored therein, the validation word being derived from the first
memory contents according to a first relationship. The validation word is formed by deriving a first value
from the first memory's contents. The validation word is then derived from the first value by means of a
nonpublic derivation having an inverse function. The validation word is then combined to form a part of the
contents of the first memory.

The secure portion of the circuit board has a processor and a second nonvolatile memory mounted
thereon. The integrity of the secure portion is overt and detectable, such as by physical seal. The secure
portion of the board includes means for deriving a second value from the validation word of the first memory
by means of the inverse function. The secure portion also includes means for comparing the first and second
values, and means for verifying the integrity of the second memory. The verification means activates the
gaming system to the user responsive play mode responsive to a comparison result of equality, or activates
the gaming system to the user nonresponsive (alarm) mode responsive to a comparison result of inequality.

The relationship for deriving the first value, the nonpublic relationship, and the inverse relationship of the
nonpublic relationship, are such that interrelating or cross deriving one to another is very complex and an
extremely difficult and time consuming task. In a preferred embodiment, the encryption function is secret
and the inverse function is public.

A better understanding of the invention may be had from the following detailed examples, the detailed
description being taken in conjunction with the accompanying drawings in which:

Figure 1 is a perspective view of a gaming system such as a video slot gambling machine, illustrating one
apparatus which can utilize the present invention;

Figure 2 is a top view showing one embodiment of a circuit board as contained in the gaming system of
Figure 1 having a secure portion and a nonsecure portion;

Figure 3 is a flowchart illustrating one embodiment of the encryption method utilized in accordance with
one embodiment of the present invention;

Figure 4 is a flow chart of the decryption test method as utilized in accordance with one embodiment of the
present invention; and

Figures 5A-D are computer program listings for one embodiment of the present invention.

Referring now to Figure 1, a gaming system is shown illustrative of one embodiment of the present
invention. A housing 100 is provided which contains the necessary human player control interfaces as well
as electronic circuitry and mechanical circuitry. Human player control inputs are provided, such as push
buttons 110 and control handle 120. A viewing area 130, such as a video screen, is provided on the front of the
cabinet housing 100 for player viewing of the gaming machine response to player inputs. Coin chutes 140
are provided for accepting player coins and returning bent coins. The number of credits which the player has
as well as the active game display are provided on the visual display means 130. For example, the gaming
system of Figure 1 can be a slot machine gambling system having 3, 4, or any number of reels, or may
alternatively be another type of gaming or gambling system. Where applicable, a pay out chute 145 may be
provided for outputting coins to winning players.

The housing 100 also contains an electronic circuit board 200, as shown in Figure 2, which provides the
control and game electronic circuitry necessary to create the desired gambling system in conjunction with
the video display 130 and user interface controls 110 and 120. Additionally, the housing 100 contains
necessary power supplies, limit switches, etc. necessary to implement the remainder of the desired gaming
system.

Referring to Figure 2, the circuit board 200 as discussed with reference to Figure 1 is shown in block
diagram form. The circuit board 200 may be comprised of a single circuit board or of a plurality of circuit
boards with appropriate interconnections provided. The circuit board 200 is comprised of two functionally
separate units, a sealed secured portion 210 and a nonsealed, nonsecure circuit portion 250. The sealed
circuit board portion 210, as illustrated, contains a microprocessor 220, a read only memory (such as a ROM,
PROM, or EPROM), and miscellaneous electronic and electromechanical circuitry 240. The sealed portion of
the circuit board 210 represents the sealed portion of the gaming system in a physical sealing manner which
would comply with a particular State Gaming Commission's requirements.

The nonsealed portion of the circuit board, 250, contains an interconnection socket 260 for a memory
device (e.g. for a RAM, ROM, PROM, or EPROM). When the socket 260 provides interconnection for a
read-write memory, RAM or EPROM, the data contents of the read-write memory can be downloaded into
the read-write memory. For example, a control program can be down-loaded from a remote site into the
read-write memory of a local gambling system via an interface port 270 (Figure 2) of the local gambling
system and the downloaded program verified by the secure portion of the circuit board in accordance with
the teachings of the present invention. Multiple gambling systems can be configured to meet crowd
selection patterns by specifying control programs either locally or remotely for each system. The systems
can also be selectively forced inoperative by downloading appropriate control programs. This portion of the
circuit board is not physically sealed, and thus the memory inserted into the ROM socket 260 can easily be
changed or interchanged. While this is desirable from the viewpoint of minimizing spare parts stock piling
and maximizing manufacturing flexibility, the nonsealed socket does pose security risks and problems.
However, in accordance with the present invention, cryptographic techniques are utilized to verify the
integrity of the nonsecure portion of the circuit board, 250, via means of cryptographic processing by the
[illegible]

[illegible] microprocessor 220 may be of any type, with its selection being
[illegible] speed, instruction set capabilities, and cost considerations. In addition
the microprocessor 220 may be composed of a plurality of circuits including a general purpose
microprocessor (of a 4, 8, 16, 32, etc. bit register length), in conjunction with special purpose peripheral
[illegible] number crunchers, fast processors, [illegible]
[illegible] utilized to accomplish the invention of the illustrated
[illegible] by reference to the encryption (Figure 3) and decryption

Referring to Figure 3, the encryption process, utilized for creating a verifiably secure memory for insertion
[illegible] flow chart form. [illegible]
[illegible] of the nonsecure memory are designated as a validation word W and
[illegible] designated as the vector R. A control
[illegible] encryption system's memory and designated as the
contents of the nonsealed and nonsecure memory (the vector R). The validation word W is as yet undefined,
but will represent the encrypted key to insure the integrity of the remainder of the contents of the
[illegible]

[illegible] step 320 an integer value F(R) is [illegible]

Proceeding to step 330, a validation word W is computed from the value F(R) [illegible]
[illegible] E is utilized in the encryption process. E(W) should [illegible]

[illegible] validation word W is placed in the memory locations which had been set [illegible]
[illegible] memory. At this point the encryption process has ended as evidenced at
[illegible] nonsealed memory (vector R) plus the validation word (appropriately located in
[illegible] committed to the [illegible] nonsealed memory (e.g. ROM, EPROM, RAM, [illegible]
For further details on one way mapping functions, and public key cryptography concerns, reference is
made to the literature in general, such as "A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems", by R.L. Rivest, et al., as published in the February 1978 [illegible]
reference, "The Mathematics of Public Key Cryptography" by Martin E. Hellman [illegible]

[illegible] step 400. The process proceeds [illegible]

nonsealed memory having been [illegible] only when the contents of the [illegible]

In either event, the tainted [illegible] repeats starting again at step 400 with power up.
or simply system or manufacturing error [illegible] turned over to authorities for evaluation as to tampering

[illegible] illustrated embodiment, ROM [illegible] in the sealed
portion of the circuit board [illegible] program to monitor the security of the nonsealed
[illegible] containing the plugged in nonsealed memory 260. The function F is a
publicly available [illegible] that the signature F(R) provides a publicly available signature of the
nonsealed memory contents less the validation check word W, while the encryption function E is publicly
available to provide for a publicly available encryption key check word E(W). By computing the validation
check word W using a secret decryption key, function D, which is the inverse of the public encryption
function E, the integrity of the entire contents of the nonsealed memory (both the validation word W and the
remaining contents) can be protected and detected in accordance with the present invention's teachings.

An example may be illustrative. Presume the nonsealed memory to be protected is an EPROM having a
capacity of 2048 bytes. The last 8 bytes are set aside as the validation word W, and the remainder is
partitioned into 408 five byte words ($D_0, D_1, \ldots, D_{407}$). Define 408 prespecified integers ($P_0, P_1, \ldots, P_{407}$) and an
additional prespecified integer $P_{408}$. Additionally, a large composite integer XNBase is prespecified. F(R) and
E(W) can then be computed as follows:

$$F(R) = \sum_{i=0}^{407} D_i^{P_i} \ (\text{modulo XNBase})$$

$$E(W) = W^{P_{408}} \ (\text{modulo XNBase})$$

The validation check procedure can be modified slightly such that if F(R) plus E(W) (modulo XNBase) equal
to 0 then the integrity of the EPROM is questioned and the system goes to the alarm mode. This example in
its modified format has been implemented with a BASIC language program and has been successfully tested
on an EPROM from an electronic slot machine. The BASIC language program and EPROM object code
hexdump listing are illustrated in Figures 5a-d. While BASIC language was utilized in the illustrated program
of Figure 5, any computer programming language could be utilized with an appropriate system. In the
illustrated system of Figure 1 -0, all arithmetic operations were exact modulo (XNBase), double precision
numbers exact to 16 digits. However, other cryptographic mathematical techniques could be utilized equally
well, and implemented in accordance with the teachings of the present invention.
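
The 2048-byte EPROM example, carried through in Python as an added illustration (this is not the BASIC listing of Figure 5). The factors of XNBase, the exponents P_0 to P_408 and the sample image are constructed values, and the check shown is the unmodified comparison of F(R) with E(W), with F(R) taken as the modular sum of the terms D_i^(P_i).

```python
"""Added example: sealing and power-up test for the 2048-byte EPROM layout."""

IMAGE_SIZE = 2048          # EPROM capacity in bytes (from the text)
W_SIZE = 8                 # last 8 bytes hold the validation word W
WORD_SIZE = 5              # the remainder is split into five-byte words
N_WORDS = (IMAGE_SIZE - W_SIZE) // WORD_SIZE    # 408 words D_0 .. D_407

# Constructed parameters (assumptions; the text gives no numeric values).
# XNBase is sized so that W fits the 8-byte field of the example.
_PRIME_A = 2**31 - 1                       # secret factor of XNBase
_PRIME_B = 2**32 - 5                       # secret factor of XNBase
XNBASE = _PRIME_A * _PRIME_B               # public composite modulus
P = [3 + 2 * (i % 11) for i in range(N_WORDS)]   # public exponents P_0 .. P_407
P408 = 65537                               # public exponent used by E
# Exponent of the secret function D, the inverse of E. Only the party that
# seals images holds it; the verifier in the sealed portion never needs it.
_D_EXP = pow(P408, -1, (_PRIME_A - 1) * (_PRIME_B - 1))


def f_of_r(data: bytes) -> int:
    """Public function F: sum of D_i ** P_i over all 408 words, modulo XNBase."""
    if len(data) != N_WORDS * WORD_SIZE:
        raise ValueError("data area must be exactly 2040 bytes")
    total = 0
    for i in range(N_WORDS):
        d_i = int.from_bytes(data[i * WORD_SIZE:(i + 1) * WORD_SIZE], "big")
        total = (total + pow(d_i, P[i], XNBASE)) % XNBASE
    return total


def e_of_w(w: int) -> int:
    """Public function E: W ** P408 modulo XNBase."""
    return pow(w, P408, XNBASE)


def seal_image(data: bytes) -> bytes:
    """Encryption side: W = D(F(R)), stored in the reserved last 8 bytes."""
    w = pow(f_of_r(data), _D_EXP, XNBASE)
    return data + w.to_bytes(W_SIZE, "big")


def power_up_test(image: bytes) -> str:
    """Verifier side: return 'play' if E(W) equals F(R), otherwise 'alarm'."""
    if len(image) != IMAGE_SIZE:
        return "alarm"
    data = image[:-W_SIZE]
    w = int.from_bytes(image[-W_SIZE:], "big")
    if w >= XNBASE:                        # W outside the range E is defined on
        return "alarm"
    return "play" if e_of_w(w) == f_of_r(data) else "alarm"


def sample_data() -> bytes:
    """Constructed 2040-byte stand-in for a control program."""
    return bytes((i * 31 + 7) % 256 for i in range(N_WORDS * WORD_SIZE))


if __name__ == "__main__":
    image = seal_image(sample_data())
    print("sealed image:  ", power_up_test(image))

    patched = bytearray(image)
    patched[100] ^= 0x01                   # one bit changed in the program area
    print("patched data:  ", power_up_test(bytes(patched)))

    forged = bytearray(image)
    forged[-1] ^= 0x01                     # one bit changed in W itself
    print("patched W:     ", power_up_test(bytes(forged)))
```

The verifier uses only the public values XNBase, P_0 to P_407 and P408, which is why the sealed portion can hold the test program without holding anything that would let a new W be produced.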

It will be understood by those skilled in the art that other functional and operative relationships between
the data and validation information can be used consistent with the teachings of the present invention.
Furthermore, in performing the verification function, operative relationships in addition to or instead of
comparison can be used consistent with the teachings of the present invention.

While there have been described above various embodiments of system and methods for guaranteeing
the integrity of the control program of a gambling machine having sealed and nonsealed portions for the
purpose of illustrating the manner in which the invention may be used to advantage, it will be appreciated
that the invention is not limited thereto. Accordingly, any modification, variation, or equivalent arrangement
within the scope of the accompanying claims should be considered to be within the scope of the invention.

CLAIMS 



1. A system for selectively operating in one of a plurality of modes responsive to a determined system
integrity comprising:

(a) a nonsecure portion of the system having data and validation information in a portion therein
(b) a secure portion of the system comprised of:

(1) means for deriving a first value from the data according to a first relationship;
(2) means for deriving a second value from said validation information by means of a second
relationship
(3) means for operatively relating said first and second values to determine system integrity
[illegible] activating said system to a selected operational mode responsive to said means for
operatively relating

[illegible]

[illegible] of the nonsecure [illegible] cryptographically verifiable,

and the integrity of the secure portion is noncryptographically verifiable

data [illegible] said validation information.

[illegible] wherein said [illegible] relationship is the inverse of the third relationship.

[illegible] The system as in Claim 1 further characterized in that said means for operatively relating provides bad
and good system integrity outputs indicative of the determined system integrity

[illegible] for activating said system activates said system to a first
operational mode [illegible] responsive to [illegible] good [illegible] output and activates said system to a second
operational mode to a bad system integrity output

10. The system as in Claim 4 or 5 wherein said first and second relationships are public and said third
relationship is secret.

11. The system as in Claim 4 or 5 wherein said first, second and third relationships are one way functions.

12. The system as in Claim 1 wherein said first relationship is further characterized in that changing any
of the data changes the first value.

13. The system as in Claim 1 further characterized as a gaming system.

14. The system as in Claims 1 or 2 or 3 or 4 or 5 or 6 or 7 or 8 or 12 further characterized as a gaming
system.

15. The system as in Claim 10 further characterized as a gaming system.

16. The system as in Claim 11 further characterized as a gaming system.

17. The system as in Claim 9 further characterized as a gaming system.

18. The system as in Claim 17 wherein said normal operation mode is a player-responsive mode.

19. The system as in Claim 13 further characterized in that said secure portion is physically sealed.

20. A system as in Claim 1 or 13 further characterized in that said data and validation information are
loaded into said nonsecure portion from an apparatus remotely located relative to the system.

21. The system as in Claim 1 or 13 wherein said nonsecure portion includes a memory, and said secure
portion includes a processor and a memory.

22. The system as in Claim 1 or 13 further comprising:

interface means for communicating with a device external to the system,
means for loading the nonsecure portion with received communications responsive to the interface
means.

23. The system as in Claim 22 wherein said received communications is further characterized as said
data and validation information.

24. The system as in Claim 22 further comprising:

means for communicating the determined system integrity to a device external to the system.

25. The system as in Claim 1 or 13 wherein said secure portion of the system is remotely located relative
to said nonsecure portion.

26. The system as in Claim 1 or 13 wherein said secure portion comprises a processor and a memory
wherein said processor executes instructions from said secure memory to derive said first and second
values.

27. The system as in Claim 8 further characterized in that said first mode is a player responsive mode
and said second mode is a player nonresponsive mode.

28. The method as in Claim 27 wherein said second mode activates an alarm.

29. A system for insuring the integrity of a remotely located downloaded memory comprising:

(a) a controller including encryption circuitry for deriving validation information from data by means of a
first relationship and a second relationship having an inverse,

(b) a system, remotely located relative to said controller, including a memory,

(c) means for communicating data and validation information from said controller to said remotely
located system for storage in said memory,

(d) verification means comprised of:

(1) means for deriving a first value from the data contents of the memory by said first relationship;
(2) means for deriving a second value from said validation information by said inverse relationship;
(3) means for operatively relating said first and second values for providing an output indicative of
system integrity, and

(4) means for manifesting an action responsive to said system integrity output.

30. The system as in Claim 29 wherein said verification means is remotely located relative to said
controller.

31. The system as in Claim 30 further characterized in that said first relationship and inverse second
relationship are public and said second relationship is secret.

32. The system as in Claim 30 wherein said remotely located system is a gaming system.

33. The system as in Claim 30 wherein said first, second and inverse relationships are one-way mapping
functions.

34. The system as in Claim 30 wherein said action is further characterized as activating said system to a
normal operable mode responsive to an output of good system integrity, and activating said system to an
alarm mode responsive to an output of bad system integrity.

35. The system as in Claim 30 wherein said remotely located system is further comprised of data
processing means.

36. The system as in Claim 30 wherein said controller is operatively coupled to selectively communicate
with a plurality of remotely located systems.

37. The system as in Claim 36 further characterized in that at least one of said remotely located systems
is a gaming system.

38. The system as in Claim 37 wherein each of said remotely located systems is operatively configured
responsive to communications from said controller to the respective remotely located system.

39. A gaming system comprising:
(a) a circuit board;
(b) a nonsecure portion of the circuit board, the integrity of which is cryptographically detectable, having
a memory having data and validation information stored therein, wherein the validation information is
derived from the data information according to a public first relationship and a secret second relationship
having a public inverse relationship;
(c) a secure portion of the circuit board having processing electronics [illegible] thereon, the integrity of
the secure portion being detectable,
wherein said secure portion of the circuit board is further comprised of:
(1) means for deriving a first value from the data information according to the public first
relationship,

(2) means for deriving a second value from said validation word by means of said public inverse
relationship,

(3) means for operating on said first and second values to provide an integrity signal,

(4) means for activating said system to a first mode responsive to a first integrity signal indicative of
good system integrity, and

(5) means for activating said system to a second mode responsive to a second integrity signal
indicative of bad system integrity.

40. The system as in Claim 39 wherein said secure portion is further comprised of a processor and a
second memory.

41. The system as in Claim 39 wherein said first, second and inverse second relationships are one-way
functions.

42. A system as in Claim 39:

wherein said first relationship has the characteristic that changing the contents of said memory changes
said first value.

43. The system of Claim 39:
wherein said second relationship is a one-way trap-door function.

44. A gaming system comprising:

(a) a cabinet having a display area and a user control;

(b) a circuit board mounted within the cabinet;

(c) a nonsecure portion of the circuit board, the integrity of which is cryptographically detectable, having
a memory having data and validation information stored therein, wherein the validation information is
derived, by means of a second relationship having an inverse relationship, from a first value derived from
and changing according to a first relationship responsive to the data contents;

(d) a secure portion of the circuit board having verifiably good integrity comprising:

(1) means for deriving a second value from the data contents of the first memory according to the first
relationship,

(2) means for deriving a third value from said validation information by means of said inverse
relationship,

(3) means for providing an integrity output responsive to operating on said second and third values,
(4) means for activating said system to a first mode responsive to a first integrity output, and
(5) means for activating said system to a second mode responsive to a second integrity output.

45. The system as in Claim 44 wherein said first integrity output is indicative of good system integrity
and said second integrity output is indicative of bad system integrity.

46. The system as in Claim 45 wherein said first mode is further characterized as activating said system
to a user control responsive system.

47. The system as in Claim 45 or 46 wherein said second mode is further characterized as activating an
alarm.

48. A gaming system operable in a player responsive mode and an alarm mode, comprising:

a first memory having data and validation information contents therein, wherein said validation
information is operatively associated with the remaining contents of the nonsecure memory
a secure memory;

means for validating the integrity of the first memory comprising:

means for executing instructions from the secure memory so as to derive a first value operatively
associated with the data contents of the first memory;

means for executing instructions from the secure memory so as to derive a second value operatively
associated with the validation information;

[illegible] good/faulty system integrity result output responsive to operatively relating said
first [illegible]

[illegible] to [illegible] mode responsive to a result output of faulty system
integrity; and

[illegible] system to [illegible]-responsive mode responsive to a result output of
good [illegible]

49. The system as in Claim 48:

[illegible] characteristic that changing the contents of said first memory
[illegible]

50. A gaming system as in Claim 48 or 49:
wherein said validation information is derived from said first value,
[illegible] wherein said first, second and inverse second relationships are one-way
functions.

52. A system for insuring the integrity of information loaded into the system, comprising:
(a) a memory having initially undefined contents;

(b) means for loading data and validation information into the contents of the memory wherein said data
is related to said validation information according to a public first and a secret second relationship

(c) means for verifying the integrity of the loaded contents comprising:

(1) means for deriving a first value according to the first relationship responsive to the data contents of
the memory,

(2) means for deriving a second value according to a public inverse of the second relationship
responsive to the validation information,

(3) means for operatively relating the first and second values to provide an integrity output indicative
of good and bad integrity of the memory contents,

(d) means for controlling the operable status of the system further comprising:

(1) means for activating said system to a normal operational mode responsive to the good integrity
output, and

(2) means for activating said system to an alarm mode responsive to said bad integrity output.

53. The system as in Claim 52:
wherein said system is a gaming system.

54. The system as in Claim 53 further comprising:
an interface port for communicating with an external device;

means responsive to said interface port for loading said memory with the communications received from
said external device.

55. The system as in Claim 53 or 54 wherein said memory is located in a nonsecure portion of the second
system, and said means for verifying the integrity and means for controlling the operable status are located
in a secure portion of the second system.

56. The system as in Claim 52 or 53 having user responsive input means, wherein said normal
operational mode is further characterized as being responsive to said user responsive input means.

57. A method of controlling the operable mode of a system having a memory with data and validation
information contents, comprising the steps of:

deriving a first value from the data contents according to a first relationship
deriving a second value from the validation information according to a second relationship;
operatively relating said first and second values so as to determine system integrity
activating the system to a selected operative mode responsive to the determined system integrity.

58. The method as in Claim 57 further characterized in that said system is a gaming system.

59. The method as in Claim 57 further characterized in that said validation information is derived from
said data content according to the first relationship and an inverse to the second relationship.

60. The method asm Claim 59 further comprising the steps of: 

40 an a d c,iva,in 9 system to a normal operative mode responsive to a determination of good system integrity, 4 0 

activating said system to an alarm operative mode responsive to a determination of bad system integrity 

61. The method asm Claim 57 or 58 further comprising the steps of: 'niegrn\. 
making the first and second relationships public; 

45 maintaining the inverse to the second relationship in secrecy. 

62. The method as in Claim 57 or 58 further comprising the steps of- 

com^T,^ <irSt Va ' Ue bV mea " S ° f 3 fUnC,i ° n WhiGh eXhibi,S ,ne characteristic that changing any of the 
contents of the nonsecure memory changes the first value 

50 comprising T^To" ^ " Wherei " Va " d3,i0n inf ° rma,i ° n * ^ "«"" «'« 

determining said second value from said validation information by means of an inverse derivation to that 
by which the validation information is obtained from the first value. 

64. A method for creating a memory having verifiable secure data contents comprising the steps of: 

computing a first value from data contents of the memory by a first relationship wherein changing the 
contents of the memory changes the first value; 

deriving a validation value from said first value by a second relationship having an inverse 
relationship; and 

storing said validation value in said memory contents. 

related to said data content by first and second relationships, comprising the steps of: 

deriving a first value from the data content of the memory by the first relationship; 
deriving a second value from said validation value by an inverse to said second relationship; 
providing an integrity output indicative of good and bad system integrity responsive to operatively 
relating the first value and the second value; 
providing a first activation signal responsive to said integrity output indicating good system integrity; and 
providing a second activation signal responsive to said integrity output indicating bad system integrity. 

66. The method of Claim 64 or 65 wherein said first relationship and inverse second relationship are 
public and said second relationship is secret. 

68. In a system, having a sealed secure circuit portion comprising a processor and a first memory, said 
system also having an insecure circuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of the system comprising the steps of: 

deriving a first value from the data content of the second memory by a first relationship wherein changing 
the contents of the second memory changes the first value; 

deriving a validation value from said first value by a second relationship having an inverse relationship; 
and 

storing said validation value at a predefined location in said second memory. 

69. The method as in Claim 68 further comprising the steps of: 

(a) verifying the integrity of the second memory by means of said secure portion, further comprising the 
steps of: 

(1) deriving a third value from the contents of the second memory by said first relationship; 
(2) deriving a fourth value from said validation value by said inverse relationship; and 
(3) operatively relating the third value to the fourth value and providing a relational output; and 

(b) controlling the operable status of the system further comprising the steps of: 

(1) activating said gaming system to a normal-responsive mode responsive to said relational output 
indicating good system integrity, and 

(2) activating the system to an alarm mode responsive to said relational output indicating bad system 
integrity. 

70. The method of Claim 68 or 69 further characterized in that said first and inverse second relationships 
are public and said second relationship is secret. 

71. The method of Claim 70 further characterized in that said second memory is nonvolatile. 

72. The method of Claim 68 or 69 further characterized in that said system is a gaming system. 

73. The method of Claim 69 further characterized in that said normal-responsive mode is a player 
responsive mode, and said alarm mode is a player nonresponsive mode. 

74. A method of Claim 71 wherein said step of operatively relating further comprises the steps of: 
comparing the magnitude of said first and second values, and indicating said good system integrity by a 
relational result of equality, and indicating said bad system integrity by a relational result of inequality. 

75. The method of Claim 71 further characterized in that said first, second and inverse second 
relationships are one-way mapping functions. 

76. In a gaming system, having a player responsive mode and a player nonresponsive alarm mode, said 
system comprising a nonsecure memory having data and validation information, said validation information 
being operatively related to the data, said system also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 
memory, comprising the steps of: 

(a) executing instructions from the secure memory so as to derive a first value representative of the 
contents of the nonsecure memory; 

(b) executing instructions from the secure memory so as to derive a second value representative of the 
validation word; 

(c) operatively relating the first and second values to provide an indication of system integrity; 
(d) activating said gaming system to said player nonresponsive alarm mode responsive to an indication 
of improper system integrity, 
(e) activating said gaming : 
system integrity. 

77. The method as in Claim 76 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

78. The method as in Claim 77: 

wherein said validation word is derived from said first value, further comprising the steps of: 
determining said second value from said validation word by means of an inverse derivation to that by 
which the validation word is obtained from the first value. 

79. The method as in Claim 76 wherein said first value is derived by 
operatively relating said data to a first functional mapping; and 

further characterized in that said validation information is operatively related to said first value according 
to a second functional mapping, 
wherein said second value is derived by 

operatively relating said validation information to an inverse of said second functional mapping. 
80. The method of Claim 67 or Sfi or 76 further comprising the steps of: 

communicating said data and associated validation information to the system from a source external to 
the system; 
storing said communicated data and associated validation information in said memory. 

81. A method for controlling the operative mode of a system, having local and remote devices 
responsive to determined integrity of communicated information comprising the steps of: 

operating upon data information at the remote device according to first and second relationships to derive 
validation information, 

communicating said data and validation information from the remote device to the local device, 
operating upon said data information at the local device, according to said first relationship to derive a 
first value; 

operating upon said validation information at said local device, according to an inverse of said second 
relationship, to derive a second value; 

controlling the operative mode of the system responsive to operatively relating said first and second 
values. 

82. The method as in Claim 81 further characterized in that there are a plurality of local devices wherein 
the step of controlling the operative mode of the system further comprises the steps of: 

selectively controlling the operative mode of each of said local devices responsive to the operative 
relationships for each respective first and second values. 

83. The method as in Claim 81 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

84. The method as in Claim 81 wherein said validation information is derived from said first value further 
comprising the steps of: 

determining said second value from said validation information by means of an inverse derivation to that 
by which the validation word is obtained from the first value. 

85. The method as in Claim 31 further characterized in that said first and inverse second functional 
relationships are public, and said second functional relationship is secret. 

86. The method as in Claim 61 or further characterized in that said first, second and inverse second 
functional relationships are one-way functions. 

87. A system for selectively operating in one of a plurality of modes responsive to a determined system 
integrity substantially as herein described with reference to the accompanying drawings. 

88. A system for insuring the integrity of a remotely located downloaded memory substantially as herein 
described with reference to the accompanying drawings. 

89. A gaming system substantially as herein described with reference to the accompanying drawings. 

90. A gaming system operable in a player responsive mode and an alarm mode substantially as herein 
described with reference to the accompanying drawings. 

91. A system for insuring the integrity of information loaded into the system substantially as herein 
described with reference to the accompanying drawings. 

92. A method of controlling the operable mode of a system having a memory with data and validation 
information contents substantially as herein described with reference to the accompanying drawings. 

93. A method for creating a memory having verifiable secure data contents substantially as herein 
described with reference to the accompanying drawings. 

94. A method for verifying the integrity of a memory having data content and validation value content 
related to said data content by first and second relationships substantially as herein described with reference 
to the accompanying drawings. 

95. In a system, having a sealed secure circuit portion comprising a processor and a first memory, said 
system also having an insecure circuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of the system substantially as herein described with reference to the 
accompanying drawings. 

96. In a gaming system, having a player responsive mode and a player nonresponsive alarm mode, said 
system comprising a nonsecure memory having data and validation information, said validation information 
being operatively related to the data, said system also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 
memory, substantially as herein described with reference to the accompanying drawings. 

97. A method for controlling the operative mode of a system, having local and remote devices 
responsive to determined integrity of communicated information substantially as herein described with 
reference to the accompanying drawings. 
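
The create-and-verify scheme of Claims 68 to 70, as an added example that is not taken from the patent: SHA-256 stands in for the first relationship, and textbook RSA (secret exponent to create, public exponent to verify) for the second relationship and its inverse. Those two choices, the toy key, the 32-byte trailing location and the sample data are assumptions made here.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public: inverse of the second relationship
D = pow(E, -1, (P - 1) * (Q - 1))    # secret: the second relationship (Python 3.8+)
VAL_LEN = 32                         # assumed predefined location: last 32 bytes

def first_relationship(data: bytes) -> int:
    """Public digest; changing any byte of the data changes the value."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def create_image(data: bytes) -> bytes:
    """Claim 68: derive the first value, apply the secret relationship, store it."""
    validation = pow(first_relationship(data), D, N)
    return data + validation.to_bytes(VAL_LEN, "big")

def select_mode(image: bytes) -> str:
    """Claim 69: runs in the secure portion and needs only the public N and E."""
    data, stored = image[:-VAL_LEN], image[-VAL_LEN:]
    third = first_relationship(data)                    # from the memory contents
    fourth = pow(int.from_bytes(stored, "big"), E, N)   # from the validation value
    return "normal" if third == fourth else "alarm"

def demo() -> dict:
    data = b"PAYTABLE v1: cherry=2 bar=10 seven=100"    # constructed sample data
    image = create_image(data)
    tampered = data.replace(b"seven=100", b"seven=999")
    # Case 1: data altered, original validation value left in place.
    patched = tampered + image[-VAL_LEN:]
    # Case 2: validation value recomputed with the public digest only, no secret D.
    forged = tampered + first_relationship(tampered).to_bytes(VAL_LEN, "big")
    return {"genuine": select_mode(image),
            "patched": select_mode(patched),
            "forged": select_mode(forged)}

if __name__ == "__main__":
    print(demo())
```

The "forged" case shows why Claim 70 keeps the second relationship secret while the first relationship and the inverse stay public: holding only the public parts is enough to verify an image but not to produce a validation value that verifies.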